Help needed for OpenVPN/PBR behind CG-NAT

raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 23

PostPosted: Tue Mar 22, 2022 20:33    Post subject: Help needed for OpenVPN/PBR behind CG-NAT
Hi, first of all, thanks to BS and all the members of this community, I’ve been using DD-WRT for a long time with great results. Great firmware, great community, can you ask for more?

Well, in my case, yes, because I need some help 😬. And I’m kind of in a hurry: I’m at my parents’ house now until the weekend and need to sort this out before leaving (more details below). Here’s the scenario:

Note: Sorry for the long post, but I want to give you every (hopefully useful) detail you may need to help me with this matter. Details of configured devices/networks at the bottom.

Note 2: sorry for my English 🤷🏻‍♂️

The story:

I’m configuring a network in my parents’ house (like 2,000 km away from my house), and I’m installing some devices with local static ips (ip cameras, smart plugs, a printer, a Smart TV, etc). I’m disabling dhcp and dnsmasq on the main router (DD-WRT), I’m mainly using it for static leases, port forwarding, etc, and for receiving the internet through the WAN port. The dhcp part comes with a mesh system (Google Nest Wifi. I know many people don’t like it and that you can barely tweak anything, but it’s what I got and it just works for what I need). I’m connecting it to a lan port of the primary router, just to get internet for them (they mainly do things like browsing, Netflix, etc. They don’t know anything about tech stuff, and the house is big, so a mesh system with dhcp works wonders for them). I configured the WAN port of the mesh system as a static ip inside the main router subnet, and connected the WAN port of the mesh to a LAN port of the main router. The mesh system is on another subnet obviously, and with dhcp enabled.

I just don’t want to go only with the mesh system. Easiest thing would be to just go modem -> WAN of the mesh, but I need the port forwarding and that mesh system doesn’t allow that. Besides, I like the idea of having DD-WRT as primary router for stability for the cameras, and I just feel more secure being behind DD-WRT’s firewall.

I’ve done this type of configuration before with great results (in fact, the exact same concepts apply to my house, and it’s been working great for years), so I know it works and know how to do it. So, I’m making the exact (and I mean, exact) same configuration in my parents’ house, but here comes the problem/only difference: my parents’ house is a little far from the city and can’t get cabled internet, so I went the 4G LTE modem route (I bought a Netgear lm1200. Works great). So, the only difference between both networks (my house and my parents’) is the modem that connects to the WAN port of the DD-WRT main router (both automatic dhcp), mine is a regular broadband modem with dynamic ip (so when I need to access my network when I’m traveling port forwarding is already set and ddns configured in DD-WRT is the answer, and it works), but with the lm1200 (bridged) at my parents’… guess what? CG-NAT (and I already tried to ask the company for a dynamic or static ip even paying them, and there’s not a chance).

One important thing: one of the main things I need to sort out is that we need their ip camera (which doesn’t connect to a cloud service, I can only see it / configure it through ip and its respective ports. One port for the gui, one for actually watching through it) to be permanently accessible from everywhere. So CG-NAT with an ip camera that can only be accessed by ip/hostname is already a problem.

So, I’m stuck with CG-NAT and because of that port forwarding with ddns is off the table, and I really need some ports to be forwarded. And also because I want to be able to configure and troubleshoot their main DD-WRT router (and cameras) from my house, and can’t do it if its public ip is double natted at isp side.

So, what I’m trying to do (before giving up) is going the OpenVPN route.

First of all, I have to mention that VPN is a new world to me, I’m still learning, but I already know some basic stuff. I already managed to create certificates/keys and connected (server-client) my main DD-WRT router to theirs, successfully (apparently).

My questions/ issues are:

- My most basic question: for the intended purpose of what I’m doing, the OpenVPN server should be my DD-WRT router, or theirs (and which one should be the client)? The tunnel should be permanently working, they are double natted and I need a working public ip for them with the possibility to port forward because, well, you never know when you will want to watch through the camera. And they can’t mess with DD-WRT or any tech stuff (and I’m not always available to help them with that, and live far away from them), they just open their iPhone app to watch the camera (and the app, in the case of my house, accesses my personal ip camera through ddns and its media port without issues. I hopefully want the same for them). I know it’s a pretty basic question, but which router should be the server and which one should be the client in this situation, where I want a permanent tunnel and the ports to be forwarded are the ones inside their network and not mine?

- In some cases I may only want certain ports to go through the vpn tunnel, while others (of the same device) to go through their/mine regular isp. I’m looking into pbr for that (new stuff for me, I’m learning), but I don’t know if it can be port based, or if it’s only device/local ip based. Is that possible? Some devices have more than one port, and I only want some of them to (permanently) go through the tunnel, and the others through the isp route.

- Perhaps another basic question: in this particular situation, how can I access the DD-WRT GUI (of my parents’ router) from everywhere to troubleshoot if necessary? I do it all the time with mine, but in my case I just browse to my hostname:DD-WRT GUI port. DDNS obviously is not an option at my parents’. Would pbr work in the case of the router’s GUI itself? If so, how can I configure it and how do I access it? Connecting to my router (one end of the vpn tunnel) and pbr set at my parents’ router? If so, how can I do that if their router’s GUI has a port that’s not the default one? Again, this is because of my ignorance about this matter, I just don’t know yet how to call for a specific port of a specific device that’s behind a CG-NAT through a vpn tunnel (if possible).

I’ve looked into site to site vpn routing, but I think that’s not an option for me. I really don’t need a permanent single subnet between the two locations, and I could enable the vpn on my router per demand when I want to troubleshoot, but I need the 24/7 availability of the ip camera. And I don’t know what happens with internet traffic when doing site to site routing (like I said, I want both locations to use their respective isp for almost everything else besides troubleshooting and the ip camera, which are the problem here because of being double natted).

To sum up, what I want is to have both networks to use their own isp for almost everything, except that I need permanent 24/7 access to certain devices/ports in both locations (mine is not an issue, I’m not double natted at isp side) from everywhere, and CG-NAT at my parent’s is making me bang my head against the wall. And their isp doesn’t even give the option to pay for a dynamic/static ip (and I can’t go with another isp either. It’s the only one with decent coverage there).

I’ve read a lot about these topics these days before looking for help, but I’m running out of time before leaving 🤷🏻‍♂️

Devices/configurations:

- Both primary routers (my parent’s and mine) are R7000, and both with 40270 Kong firmware. Both started from scratch, nvram erase before and after flashing.

- Both routers with different subnets. Mine 192.168.1.1, theirs 192.168.11.1, both with dhcp and dnsmasq disabled and every important device has static ip.

- At my parents, Google Nest Wifi router’s WAN port is connected to a LAN port of the main router, its WAN port is set to a static ip inside the main router subnet, and its LAN network is on another subnet. It just works.

- At my parent’s, internet comes from a Netgear lm1200 4G LTE modem. CG-NAT, double natted at isp side and there’s nothing I can do to change that. It’s bridged, and connected to the WAN port of the main router (automatic dhcp). The entire network works, I have decent internet, all the devices have their respective static ip and working without issues. And for smartphones, guests and things like that, the wifi mesh works properly and assigns ips by dhcp on a different subnet.

- In my house, same configuration, the only difference is that I have a dynamic ip so I use DD-WRT DDNS feature to access my network from the outside. Port forwarding works as it should.

- 5 Ghz wifi disabled at both routers, 2.4 enabled (wpa2, AES) at both. I have 2.4 Ghz enabled because I use it for Smart TVs (each configured with static ips, since dhcp is disabled) and a wireless printer (also static ip).

- All the other settings are set at default (except custom ports for DD-WRT GUI remote management for both main routers).

- And about OpenVPN, I used easy-rsa 3 for the certs/keys, both using udp protocol, adaptive compression, TUN, standard port (1194), and network ip at the server set at 10.10.10.0 and 255.255.255.0 netmask (not sure about these two settings, though). All the other OpenVPN settings are left at default on both routers. At least the status page says at server side that the connection is successful and shows the correct public ip of the client (the real public ip. For the meantime I’m just testing, and the server is my router at home and the client is my parent’s router, but I’m still confused if it shouldn’t be the other way around). But since VPN stuff is new to me and since I haven’t had the chance to really read about the topic because of the hurry, I managed to get to this point, but I still don’t quite know how to use the VPN tunnel for my intended purposes.

Hope you can help me, and sorry for the long post, but I really need to solve this and I only have like four days left at my parent’s to make everything work. Hopefully you can point me in the right direction, and also thanks in advance.

PS: I forgot. I don’t have the chance to leave a notebook or something like that to troubleshoot through TeamViewer from my house, my parents only have smartphones and I don’t have the time to go and buy a cheap notebook or build a small server (which would be the ideal solution. Perhaps on another visit).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

PostPosted: Tue Mar 22, 2022 21:29    Post subject:
Build 40270 is very old and no longer supported and has safety issues.

Upgrading to a recent build is highly recommended (current is 48540)

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

A VPN *server* (OpenVPN, WireGuard etc) needs to be accessible from the internet.
Behind CGNAT that usually is not possible.

So the only option is to run a Client at your parents’ house and the Server at your house.

With a site-to-site setup the server’s side can reach the client side (and of course the other way around).

You use the site-to-site setup only for the local traffic, normal internet traffic goes out via the WAN.

See the OpenVPN server setup guide which has a chapter about site-to-site setup:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 23

PostPosted: Wed Mar 23, 2022 13:47    Post subject:
Thanks for your reply, I really appreciate it (I really mean it).

Regarding the firmware version, I went with Kong’s last version because I’ve been running that one on my R7000 since Kong left the project, and it’s been rock steady. And since Kong tested his versions with his routers (and I read that the R7000 was one of the most tested routers by him), I never felt the need to upgrade. I usually don’t use fancy/advanced stuff, VPN is the most advanced feature I’m starting to use. And since stability is my main concern (more than performance) because I can’t travel 2,000 km every time there’s a problem, I went with what I felt was the safest choice. But now that I’m going to use OpenVPN, I guess there have been improvements in that area since that version, so I’ll take your advice and will flash the latest BS build today 👍

As for the solution you mention, it sounds good to me. I wasn’t sure about what happened with normal internet traffic when doing a site to site setup (like I said, I never learned about VPN before and I had to learn all I could about it in a couple of days because of this). I was afraid that some of it went through the tunnel, making my parents’ internet stability/performance dependent on my isp/router, but thanks for clearing that up for me 👍.

So, bottom line, and since you read what I wrote and know my setup and situation (again, thanks for taking the time), would you say that a 24/7 site to site setup is what you would go for if you were me? Is that the “correct” way to achieve what I need, or would you advise going for another kind of setup? I’m all for learning all about this stuff, and I surely will, but considering my hurry (and the clock is ticking) I don’t have the time now to learn, implement and test different kinds of setups for what I need, so I want to spend the remaining time I have here doing what must be done instead of experimenting. Would you say that a 24/7 site to site setup would be the correct answer? The client being my parents’ main router and mine being the server?

And after doing that, port forwarding would work as if my parents’ devices (and router) ips were local (on my side), so all the port forwarding would have to be configured on my router as if those devices were just added to my local network? I’m going to read everything I can today about site to site if you think it’s the way to go, but just to know, since everything would be inside the same “local” network, should their devices be in the same subnet as the ones of my network?

Should I read this guide too? I surely will, I want to learn this stuff properly, but I have to choose wisely what guides to read now because, well, I’m leaving in a couple of days 😕 (and the guide you sent me, I must confess I saw that post yesterday, but the guide seems to be very complete, so I didn’t want to spend my remaining time reading something like that without being sure it’s the way to go).

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327810

And this post seems to be an important reading if I’m going to flash a build with OpenVPN 2.5, correct?

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326913

And I also found this link, when I want to learn something new about networks and DD-WRT I usually read the forums or the wiki, but since I have little time left I made a quick Google search and at least the title sounds like the perfect answer to my question, and apparently the article is written for people who don’t know much about VPN. Should I go this route? I’ll obviously read the guide that you suggest too.

https://kabri.uk/2017/11/19/creating-a-site-to-site-routed-vpn-using-dd-wrt-and-openvpn/

Sorry, I’m just trying to target the essential stuff I need to read in my remaining days at my parent’s to solve this, but I’ll read all I can when I get home. And thanks again, this is important to me and I really appreciate your help. Your answer already cleared some things I was confused about (like the basic “which should be server and client” thing. I was already banging my head against the wall because of simple things like that), so I can’t thank you enough 👍

PS: and sorry for my English 😕, I hope I’ve made myself clear enough.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

PostPosted: Wed Mar 23, 2022 15:10    Post subject:
Indeed a 24/7 site-to-site setup would work, you can connect to your parents from your own home just by typing http://192.168.11.1 and you will get to the router of your parents.

Port forwarding (if necessary at all) should be done on your own router and you then port forward to 192.168.11.1.
But not sure if that is necessary, if you want to connect to your parents router when you are on the road then simply connect to your own VPN server, when connected you can reach everything connected to your own network and your parents network.

If you are going to use your VPN server to connect to when on the road and also use the site-to-site setup you have to work with CCD files and multiple client certificates.

The only guide you should need is the OpenVPN server setup guide.

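Putting egc’s site-to-site advice into concrete directives, as an added example that is not code from the thread or from DD-WRT: the server-side route plus the CCD iroute that binds 192.168.11.0/24 to the parents’ client, the route pushed to every client, and the optional port forward to the camera together with the SNAT it needs so replies come back through the tunnel instead of the 4G WAN. The client CN, camera address/port, WAN interface name and CCD directory are assumptions; egc’s preferred route, a phone connecting to the home VPN server instead of forwarding ports, needs only the first two parts.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: the extra OpenVPN
# directives and iptables rules a routed site-to-site setup needs, using the
# thread's own numbers (tunnel 10.10.10.0/24, home LAN 192.168.1.0/24,
# parents' LAN 192.168.11.0/24, home router = server, parents' R7000 = client).
# Everything marked ASSUMPTION is constructed for the example.
HOME_LAN=192.168.1.0
PARENTS_LAN=192.168.11.0
MASK=255.255.255.0
TUN_SRV_IP=10.10.10.1        # first address of the 10.10.10.0/24 tunnel net
TUN_IF=tun0
WAN_IF=vlan2                 # ASSUMPTION: WAN interface name on the server router
CLIENT_CN=parents-r7000      # ASSUMPTION: CN in the parents' client certificate
CCD_DIR=/tmp/openvpn/ccd     # ASSUMPTION: directory the server reads CCD files from
CAM_IP=192.168.11.50         # ASSUMPTION: the camera's static IP
CAM_PORT=554                 # ASSUMPTION: the camera's media port

# Server side, home router. The GUI's Network/Netmask fields already produce
# the "server 10.10.10.0 255.255.255.0" line; these go in the additional
# config box. "route" adds the kernel route to the parents' LAN via tun0,
# "client-config-dir" lets a per-client file say which client owns that LAN.
server_extra_config() {
    printf 'client-config-dir %s\n' "$CCD_DIR"
    printf 'route %s %s\n' "$PARENTS_LAN" "$MASK"
    # every client (the parents' router, a phone on cellular) learns the home LAN
    printf 'push "route %s %s"\n' "$HOME_LAN" "$MASK"
}

# CCD file, named exactly after the client certificate's CN. "iroute" is the
# OpenVPN-internal half of the route: with only the kernel route above, OpenVPN
# cannot tell which client 192.168.11.0/24 belongs to and drops the packets.
ccd_file() {  # $1 = client CN, $2 = LAN behind that client
    printf 'iroute %s %s\n' "$2" "$MASK"
}

# Optional port forward on the HOME router to the camera, as egc describes.
# Caveat: the camera answers via its own gateway (192.168.11.1), which sends
# Internet-bound replies out the 4G WAN, not back through the tunnel, so the
# flow is SNATed to the server's tunnel IP to keep both directions on tun0.
# The parents' router must also allow inbound traffic on its TUN interface.
camera_forward_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$CAM_PORT" "$CAM_IP" "$CAM_PORT"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$TUN_IF" "$CAM_IP" "$CAM_PORT"
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$TUN_IF" "$CAM_IP" "$CAM_PORT" "$TUN_SRV_IP"
}

# Print everything so each part can be pasted into the right box.
echo "== server additional config (home router) =="; server_extra_config
echo "== $CCD_DIR/$CLIENT_CN =="; ccd_file "$CLIENT_CN" "$PARENTS_LAN"
echo "== firewall script additions (home router) =="; camera_forward_rules
```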
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 23

PostPosted: Sat Apr 09, 2022 16:00    Post subject:
Report

Hi there, I came to report. Sadly, I couldn’t manage to build the OpenVPN setup on time. Since I wasn’t getting anywhere trying to build a site-to-site setup and I’m learning about VPN on the run, I went down to basics and tried to establish a simple VPN tunnel between both routers (server-client), using your guide (almost the same values as your screenshots) because I had the impression I was doing something wrong at a basic level. Turns out I couldn’t even establish the most standard VPN tunnel, the status page didn’t show any connections. So I looked at the syslog and there were some critical issues.

First, and idk why since I’m still a noob in this, tls auth didn’t work, I could get past that error message choosing tls crypt. Then I got an error message about not being able to resolve the host address. I figured it could be something related to dns, so I added dhcp-option DNS 8.8.8.8 in advanced config on the client router and could get past that (not sure if that’s a problem on the ISP dns servers not resolving ddns hostnames or something like that, but at least it worked using Google’s dns server), then lost client access to internet at some point (and couldn’t manage to troubleshoot it, I was in a hurry so I just nvram erased the client and configured it from scratch), had to trial and error the choice of ciphers (I managed to solve that with a particular combination which I don’t remember now sadly, but I think CHACHA20-POLY1305 didn’t work. I think the one that worked was AES-128-CBC, but can’t confirm), etc. It was a messy way of setting things up and perhaps I introduced issues because of that messiness (and didn’t have the time to collect logs), but because of that I nvram erased the routers from time to time to clear those possible issues up.

The wall that I couldn’t get past was a tls handshake time out error message that didn’t give much info to know why that was happening. I would have come to you with the logs by then, but I’m talking about my last attempts at 4 am, with my flight taking off at 8 am, so all I could do by then was giving up setting up the VPN tunnel and getting their router back to its original configuration (modem bridged, router as gateway and wireless AP, pretty standard). I won’t be able to access their network as was the plan, but at least I left them with a working wifi and internet. Just because my parents know absolutely nothing about tech stuff other than browsing and youtubing, not a chance they can help me to set up OpenVPN, and sadly I don’t have a server or notebook there to just Teamviewer it and work things out from here. Things didn’t work out as I would have wanted to, but I learned a lot and I’m still learning about VPN, because I’m not giving up, I plan to travel again perhaps next month and solve this.

I know I didn’t give useful information to troubleshoot the issues, but I barely managed to restore their wifi and catch my flight (it was kind of a stressful day tbh), and for now I just wanted to report, and to let you know that I’ll be back (that sounded like a Terminator) to finally solve this. I know I’m doing something wrong and that the setup I want is possible, so no reason to give up. I may get back to you and revive this thread (or make a new one) when I go there again if I can’t figure out things by myself, and I’ll use this time to read all I can about this topic (I like solving things by myself and learning, but sometimes you need a little help). And, well, I wanted to thank you again for your selfless help, even though the setup didn’t work, your advice and guides were a turning point in my process of understanding this feature (which I never felt the need to learn about) and I feel I’m in the right direction now. Thanks again 👍


A couple of questions

In the meantime, since idk when I’m going back to my parents, I wanted to ask you a couple of things (not sure if I should open another thread or not):

- I always looked at OpenVPN because of its history and tons of info, but I’m tempted to go with Wireguard. I’ve already read some about it and its pros and cons, but would you say it would be a better choice over OpenVPN considering my use case? I’ve read that a site-to-site setup is also possible, and I’m not sure how important is the IP logging “issue” every Wireguard review talks about as a security flaw of the protocol. What do you think? Which protocol would you use in my situation?

- Is the current DD-WRT Wireguard implementation (server and client) good enough, or is it not as reliable as OpenVPN (mainly because it’s a newer protocol than OpenVPN)? I’ll surely read your guides anyway, doesn’t hurt to learn, but I wanted to know your opinion from an experience point of view (if you have any, of course) using Wireguard server and client from DD-WRT, not just on paper.

- The whole point of what I want to achieve is being able to access their devices for troubleshooting purposes when I’m not there (router, ip cameras, Google Nest wifi, etc), and for port forwarding (because of the ip cameras. Now they are able to check them through the app locally, but those cameras don’t have a cloud service so the only way to check them outside of the house is by port forwarding, and they’re behind CG-NAT). For now I don’t need to use the tunnel for other purposes, and surely I want both networks to use their respective ISP for internet traffic. Since I won’t be troubleshooting all the time, and we do need 24/7 remote access to the cameras per demand, would you advise keeping the tunnel working all the time? Or, for some reason, would it be wiser to disable the server side of the setup (my router, which has dynamic ip and I can access it with my phone whenever I want), and enable it just when I need to troubleshoot something / check the cameras? My point is that I really don’t know if, given my use case, keeping the tunnel up 24/7 could be less safe, or if it could shorten the lifespan of the routers because of constant workload. If you ask me, it would be simpler to have the tunnel working all the time so if my parents want to check the cameras they don’t have to talk to me to enable the server and re-establish the tunnel, but it’s not a high price to pay if indeed it is not a good idea to keep the tunnel up permanently if we are going to use it not as often. Of course, I’m assuming that, if I disable the server and don’t have access to the client, when I enable the server again the VPN connection will be automatically re-established, though I’m not sure about that.

Anyway, thanks again for your help. Next time I go to my parents I hope to have greater knowledge about this topic, so things go a little smoother than the last time. Greatly appreciate the time you take to reply (and for writing those great guides).

PS: all (failed) attempts at setting up the OpenVPN were done while using 48540 BS build on both routers (AC5300 as server, R7000 as client), and both nvram erased and set up from scratch. Pretty sure the issue is between the keyboard and the chair, hope to have better luck next time.


Last edited by raulo1985 on Sat Apr 09, 2022 21:53; edited 1 time in total
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2143
Location: All over YOUR webs

PostPosted: Sat Apr 09, 2022 16:13    Post subject: Re: Help needed (I’m in a hurry) for OpenVPN/PBR behind CG
raulo1985 wrote:
can you ask for more?

Clearly yes! At least you presented a good case and aren't afraid to make an effort and type a detailed description of the issue(s). So indeed thanks for that, often people who seek help can't even be bothered to type more than two sentences, expecting the world in return.

So this is a thanks from me for your effort.

You're in good hands, egc is the openvpn/wireguard expert around these parts, this community is lucky to have him and I personally appreciate the hell out of his contributions and efforts.

As a side suggestion even if it's too late, you could have always enabled remote access to the router in order to solve the issue remotely.

Good luck.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

PostPosted: Sat Apr 09, 2022 16:31    Post subject:
My advice start simple with setting up the OpenVPN server on your router and test if that works with your phone on cellular, then you know you have a working server.

To keep it simple do not use TLS-auth/TLS-crypt key so just leave the key box empty.

You can always check if your DNS is working with the command:
nslookup
Both from the CLI of the router or from a connected client.

From the VPN troubleshooting guide:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable i.e. you have a network connection error (unless you are using TLS-crypt which is not setup correctly):
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check /disable firewall
• Sometimes an ISP blocks often used ports, Check with your ISP and/or use TCP port 443, this is not blocked.
• Older DDWRT versions block UDP ports when SFE is enabled, so when in doubt disable SFE

To check if you can reach the server from the client you can use the ping utility.
Beware not all servers answer to ping.

From the Windows cmd, the Fing app on your phone or ping from the CLI (telnet/Putty) if your client is a DDWRT or other router use:
ping ip-server-address
e.g. ping 8.8.8.8

If your server is a DDWRT router then by default it does not answer to ping so for this test you should disable/uncheck "Block Anonymous WAN Requests (ping)" on the Security tab of the DDWRT OpenVPN server.


It is possible that on your parents side with CG-NAT they are blocking certain ports e.g. 1194, consider using TCP4 and port 443

To answer your question, yes you can also use WireGuard to do this, it is considered perfectly safe:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Site-to-Site setup is in the Advanced guide

As the making of the keys is integrated it is somewhat simpler to setup but still needs intermediate skills and some studying to setup, in that respect it is not different from OpenVPN.
One big advantage of WireGuard is that it is much faster

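As an added example that is not from the thread or from egc’s guide, the checklist above turned into a log filter: it maps the OpenVPN client messages raulo1985 ran into (unresolved hostname, the handshake timeout, a tls-auth key mismatch, a cipher mismatch) to the next check in the list, run over a constructed syslog excerpt; the hostname and timestamps are made up.

```shell
#!/bin/sh
# Added example, not from the thread or DD-WRT: a small triage filter that maps
# OpenVPN client log lines to the next check in egc's list. The sample syslog
# excerpt below is constructed to mirror what the poster described (DNS failure,
# then repeated handshake timeouts); the message texts are ones OpenVPN emits.

openvpn_hint() {  # $1 = one log line; prints a hint, or returns 1 if unknown
    case "$1" in
        *"Initialization Sequence Completed"*)
            echo "OK: tunnel is up" ;;
        *"TLS key negotiation failed to occur within 60 seconds"*)
            echo "UNREACHABLE: server not reached; check DDNS name, port, port forward and firewall; try TCP 443 if the ISP filters UDP 1194" ;;
        *"RESOLVE: Cannot resolve host address"*)
            echo "DNS: the server hostname does not resolve on the client; test it with nslookup from the router CLI" ;;
        *"cannot locate HMAC in incoming packet"*)
            echo "TLS-KEY: tls-auth/tls-crypt key mismatch between both ends; leave the key box empty while testing" ;;
        *"failed to negotiate cipher"*)
            echo "CIPHER: client and server share no data cipher; align the cipher lists on both routers" ;;
        *"AUTH_FAILED"*)
            echo "AUTH: the server rejected the client's certificate or credentials" ;;
        *) return 1 ;;
    esac
}

# Reads a log on stdin and prints "<count> <hint>" once per distinct finding,
# so a single bad DNS reply can be told apart from a server that never answers.
triage_log() {
    while IFS= read -r line; do
        openvpn_hint "$line" || true
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample in a syslog-like form (hostname and times are made up)
SAMPLE_LOG='Apr  9 03:52:10 parents-r7000 daemon.err openvpn[1234]: RESOLVE: Cannot resolve host address: myhome.example-ddns.net:1194 (Name or service not known)
Apr  9 03:54:31 parents-r7000 daemon.err openvpn[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr  9 03:54:31 parents-r7000 daemon.err openvpn[1234]: TLS Error: TLS handshake failed
Apr  9 03:55:31 parents-r7000 daemon.err openvpn[1234]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'

printf '%s\n' "$SAMPLE_LOG" | triage_log
```

On a DD-WRT client the same filter can be fed with the router's own log, for example `cat /var/log/messages | grep openvpn | triage_log`.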
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 23

PostPosted: Sat Apr 09, 2022 21:47    Post subject:
egc wrote:
As a side suggestion even if its too late, you could have always enabled remote access to the router in order to solve the issue remotely.

Good luck.


Thanks for your words. I’m in your boat, the way I see it this is a fine piece of software that in a way improves our quality of life (by not having to deal with basic/unstable stock firmware, and letting us tweak all the settings that we should be able to tweak from the start, after all we paid for the thing), and we get it for free. The devs have lives, and still keep this project going for the joy of a lot of us. The least one can do is to put a little effort trying to solve things that most likely can be solved by yourself if you’re not lazy. I try to seek help when I realize that I need it, not before. Asking without even knowing if the issue can be solved by yourself is just lazy imo.

And having to guess what other’s issues are by a few details that sometimes don’t even help, is kind of disrespectful towards the devs and community, I’ve never liked that kind of attitude. I’m a little old fashioned on that regard, if you want help, first make sure you need help by putting some effort. And if you realize you need help, give the info you think it’s relevant so others don’t lose their time trying to solve a problem by trying to understand what the problem is in the first place.

Appreciate the words, but I think that’s how things should always be, and not the other way around. I’m the one that’s grateful for people that I don’t know spending their time reading a lot of info just to try to help me without expecting anything in return. I can just wish you the patience to help people that ask as if you already knew what’s happening, I don’t think they have bad intentions or anything like that so no point in being harsh, but that doesn’t mean asking for help thinking that people reading your problem can read your mind is not getting a little old. I don’t know if I would have the patience to reply all those times.

Sorry, back on topic. You mean enabling remote web access? But they’re double natted at ISP side (CG-NAT), they don’t have a valid public ip. That’s the point of the VPN, to be able to port forward at the server by using a VPN tunnel and having my personal router be the server (I get dynamic ip, so ddns solves the problem). Unless you meant something else, remote access can’t be used, or am I wrong?

The plan is to make a site-to-site setup so that the client’s lan network can be accessed at server side, which has a public ip (dynamic, ddns). If I’m not mistaken, every device should be accessible from the outside by port forwarding (server). So: access to DD-WRT GUI, to ip cameras, etc. I understand that this is the only way to be able to use port forwarding when you’re behind CG-NAT, but I’m no expert. If you meant something else by enabling remote access, then discard all I said, and my apologies

egc wrote:
My advice start simple with setting up the OpenVPN server on your router and test if that works with your phone on cellular, then you know you have a working server.

To keep it simple do not use TLS-auth/TLS-crypt key so just leave the key box empty.

You can always check if your DNS is working with the command:
nslookup
Both from the CLI of the router or from a connected client.

From the VPN troubleshooting guide:
Quote:
TLS Error: TLS key negotiation failed to occur within 60 seconds
Server is not reachable i.e. you have a network connection error (unless you are using TLS-crypt which is not setup correctly):
• Check server address/DDNS
• Check DDNS,
• Check port,
• Check Port Forward if server is not on the primary router.
• Check /disable firewall
• Sometimes an ISP blocks often used ports, check with your ISP and/or use TCP port 443, this is not blocked.
• Older DD-WRT versions block UDP ports when SFE is enabled, so when in doubt disable SFE

To check if you can reach the server from the client you can use the ping utility.
Beware not all servers answer to ping.

From the Windows cmd, the Fing app on your phone or ping from the CLI (telnet/Putty) if your client is a DDWRT or other router use:
ping ip-server-address
e.g. ping 8.8.8.8

If your server is a DDWRT router then by default it does not answer to ping so for this test you should disable/uncheck "Block Anonymous WAN Requests (ping)" on the Security tab of the DDWRT OpenVPN server.


It is possible that on your parents' side with CG-NAT they are blocking certain ports e.g. 1194, consider using TCP4 and port 443

To answer your question, yes you can also use WireGuard to do this, it is considered perfectly safe:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

Site-to-Site setup is in the Advanced guide

As the making of the keys is integrated it is somewhat simpler to setup but still needs intermediate skills and some studying to setup, in that respect it is not different from OpenVPN.
One big advantage of WireGuard is that it is much faster


Hi there, like I said earlier, thanks again man. Things didn't work out as expected, but your guides are excellent and I'm sure I'll be more prepared the next time I go see my parents. The setup is possible, the firmware supports it, the firmware version has been reasonably tested, and both routers are perfectly fine. Ergo, I surely made a mistake (or many). But that's good news, because that's something I can change, and for free. But I'll shout for help here if I'm stuck again, that's for sure Laughing

I'll start reading the WireGuard guides. But in the meantime, asking for some of your experience/knowledge doesn't hurt. A couple of questions/comments:

- I’ll do what you suggest (start from scratch, set up the OpenVPN server and test with my phone).

- Just to know, are tls-auth and tls-crypt not advised for use in DD-WRT for now? Or did you mean doing that only for testing/troubleshooting purposes?

- Yep, next time I'll use nslookup. But could it be an ISP DNS server problem that prevented the client from resolving the host address? Everything was configured almost exactly as in your guide's screenshot, and that issue got fixed as soon as I added the dhcp-option… line, so it wasn't an issue with the DDNS service I used. Anyway, Google's DNS server solved that issue, I just wanted to mention it, I found that interesting.

- For the record (sorry, didn’t mention it), I used the standard port, but then changed it to 1198 thinking 1194 could be a port blocked by the ISP, but it didn’t fix the issue. Didn’t try with other free ports, though, just 1198 (random choice. Perhaps I should have tried with a different free port, I wasn’t very creative with that one).

Always used UDP, never tried TCP. And SFE was always disabled on both routers. The DNS issue was solved and I got to the handshake error. That was the point where I gave up, it seemed like an issue I was going to spend some time troubleshooting, and the plane wasn't going to wait for my VPN tunnel to be up and running. But I felt like I almost got there, so I'll most likely have better luck next time.

Bonus question:

Most likely you saw this one coming Laughing . In my situation and considering your experience on this matter, would you choose OpenVPN or Wireguard, and why? I didn’t start reading a little about Wireguard because it’s known to be easier to set up, I have no problem learning if things are more complicated than I thought, it was because of Wireguard being faster. I don’t need that much bandwidth for accessing the router or configuring a couple of devices, but because of the cameras not having a cloud service, they can only be viewed through a TCP connection, so I guess that traffic is going to go through the tunnel and not by regular internet. And the cameras use a decent amount of bandwidth.

I don’t think they are close to being restricted by OpenVPN max bandwidth, though, so I’m not sure if Wireguard’s performance would make a difference in my case. What do you think? Any particular reason why you would choose one over the other? Or just personal preference (and if so, why Laughing )?

The routers are AC5300 (server) and R7000 (client), and probably they’re going to have the same DD-WRT build flashed, to avoid possible issues (probably latest BS stable build).

Thanks again!
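The checklist from the troubleshooting guide quoted above (does the DDNS name resolve, is the port reachable, why a failed ping proves nothing), as an added Python example that is not code from this thread or from DD-WRT; the function names, host names and log lines in it are my own and constructed for the demo.

```python
# Added example (not from the thread or DD-WRT): the checklist quoted above for
# "TLS key negotiation failed ..." as runnable checks. Sample log below is constructed.
import re
import socket

TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
RESOLVE_RE = re.compile(r"Cannot resolve host address: ([^\s:]+)")

def diagnose_log(lines):
    """First known error in an OpenVPN client log as (problem, detail):
    'dns' = server name did not resolve (check DDNS / DNS server);
    'unreachable' = no TLS handshake (check address, port, forward, firewall)."""
    for line in lines:
        m = RESOLVE_RE.search(line)
        if m:
            return ("dns", m.group(1))
        m = TLS_TIMEOUT_RE.search(line)
        if m:
            return ("unreachable", int(m.group(1)))
    return ("ok", None)

def resolve(host):
    """Step 1: does the DDNS name resolve? Sorted IPv4 list, [] on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def tcp_port_open(host, port, timeout=3.0):
    """Step 2 (TCP servers only): does a TCP handshake complete? UDP has no handshake, so
    UDP silence proves nothing; a failed ping is also inconclusive (DD-WRT blocks WAN pings)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(host, port, proto="udp"):
    """Run the checks in checklist order and return the first thing to fix."""
    ips = resolve(host)
    if not ips:
        return "check DDNS / DNS: name does not resolve"
    if proto == "tcp" and not tcp_port_open(ips[0], port):
        return "check port, port forward and firewall (or ISP blocking; try TCP 443)"
    return "server reachable" if proto == "tcp" else "name resolves; UDP not verifiable"

# Constructed client log: name resolved, but the handshake never completed.
SAMPLE_LOG = ["UDP link remote: [AF_INET]203.0.113.10:1194",
    "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"]
```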
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

PostPosted: Sun Apr 10, 2022 7:45    Post subject: Reply with quote
About TLS-auth/TLS-crypt key, I do not use it as I am perfectly fine (=safe) without it.

If you want it at least do not start with it, start simple and get a working connection first and then add complexity.

I use both OpenVPN and WireGuard, WireGuard is somewhat easier to setup but it is your call.

Only when you are a high-level government target and want absolutely proven safety would I use OpenVPN (with tls-crypt key)
But that is just my personal opinion Smile

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
raulo1985
DD-WRT Novice


Joined: 21 Jun 2019
Posts: 23

PostPosted: Sat Apr 16, 2022 5:06    Post subject: Reply with quote
egc wrote:
About TLS-auth/TLS-crypt key, I do not use it as I am perfectly fine (=safe) without it.


Got it. Do you know if current DD-WRT implementation is better with auth or crypt? Can’t find a clear answer to that question.

egc wrote:
If you want it at least do not start with it, start simple and get a working connection first and then add complexity.


Will do. Last time was a mess, there wasn't enough time, I tried to learn on the run and managed to get past some issues, but got stuck and didn't have time to come here with the logs. Tried my best, but with the clock ticking, so it wasn't a clean config at all. Next time I'll be more knowledgeable/prepared, and will go one step at a time so as not to break things.

I got a feeling that at some point I even got nvram issues after an nvram erase, the router became very unstable and I had to reset. I added too many unnecessary steps, and ultimately had to give up because of time. But the good thing is that I got a good grasp of what this topic is about (very basic knowledge, but it's a start and I didn't have it before), so it doesn't feel like wasted time even though the results were back to square one. But regarding knowledge, I may not be an advanced user at all (yet), but I'm not at square one anymore 👍 . That's better than nothing.

egc wrote:
I use both OpenVPN and WireGuard, WireGuard is somewhat easier to setup but it is your call.

Only when you are a high level government target and want the absolute proven safety I would use OpenVPN (with tls-crypt key)
But that is just my personal opinion Smile


The difficulty of setting them up, unless we are talking about compiling, C++ Linux voodoo stuff, is not a problem. I knew nothing about setting up a VPN and tried to do it learning about OpenVPN in a couple of nights; I usually don't have a problem learning if what I'm learning is worth it. Anyway, apparently OpenVPN, if only talking about a site-to-site setup, just differs in small details and in the cert and key making process compared to WireGuard (which I already learned and did using easy-rsa 3 for OpenVPN), so difficulty in that particular regard is not an issue.

And well, I'm not a government target other than for taxes 🤷🏻‍♂️, so I guess I'm good with both of them. Did you mention the above because OpenVPN is a little safer than WireGuard? I read that they were equivalent in recent builds, but I'm no expert. And I'll test without auth or crypt first, but if things work out, is tls-crypt advisable over tls-auth? Any performance impact with that setting?

Ultimately, the purpose of all of this is clear: to build a site-to-site to my parents' network (another subnet), because they are double NATed at the ISP side (CG-NAT, I hate it), and they need port forwarding for their IP cameras (troubleshooting and viewing) and to troubleshoot the router itself. As I understand it, the IP camera traffic would go through the tunnel as local traffic, so port forwarding can be used at the server side (my home network, which has a public IP and DDNS) to access and also view the cameras. Their media traffic, as far as I understand, won't go through the client's WAN: they don't have a cloud service and their local IP/port is not reachable from the outside without a VPN tunnel to a server that has a public IP.

If that's correct, wouldn't WireGuard be advisable in my use case? Safety wise both are apparently equal, and I don't need that much bandwidth to access the cameras or router, but the media is another story. So far there's one 5MP camera there that usually transfers at 6,000-8,000 kbps, but in the future I plan to install two or three more (so probably three cameras using that bandwidth 24/7, and perhaps a fourth one afterwards). WireGuard is known to be a lot faster than OpenVPN because it works in kernel space instead of user space, but I don't think the bandwidth I'm going to use maxes out OpenVPN's capacity. But thinking long term, who knows.

Is there a particular reason besides the apparently slightly better security that you choose OpenVPN over WireGuard? If not using tls-crypt or tls-auth, would you still go with OpenVPN? Or, taking the security aspect out, does it all come down to personal preference in your case? Like I said, difficulty or a steeper learning curve is not an issue for me, I should be able to set both up with a little more effort.

In my use case, could the static routing issue that used to appear in WireGuard reviews be an issue for me?

If not maxed out, do you think that performance is similar (OpenVPN vs Wireguard), or do you notice any difference with same tasks (because of some latency differences or things like that)?

For now, I see both options as valid for my intended purposes: both can achieve a site-to-site setup, my routers and firmware support it, and key and cert creation is already done (and I learnt how to do it). So would you go with WireGuard because of performance, considering the cameras? Or is OpenVPN still more than enough if someday I go crazy and install like 8 cameras? Security is not a big deal in my case, I know both protocols are very safe even without tls encryption and I'm not an interesting dude to be hacking.

Oh, and I already read some things about WireGuard. Since it's a newer tech and OpenVPN has a bigger user base, do you see WireGuard as the future of VPN? Or do you think OpenVPN is gonna catch up with WireGuard in performance and WireGuard could slowly fade away in OpenVPN's favor? Just curious Razz

OpenVPN or Wireguard, that is the question.

Btw, thanks again 👍
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

PostPosted: Sat Apr 16, 2022 7:26    Post subject: Reply with quote
It is just a matter of personal preference both WireGuard and OpenVPN will get the job done in your case.

WireGuard is the new kid on the block but OpenVPN is here to stay Smile
